Welcome - Sharing information with the community related to Microsoft SharePoint security, information protection and permissions. Topics will also cover identity federation, claims and software development. Articles will at times be technical and focussed at developers/architects. They will also be higher level and discuss concepts and customer use cases. Have a look around, share your thoughts and I do hope you find some helpful content.


Monday, August 31, 2015

Many enterprises are looking at hybrid scenarios as part of their journey to a cloud based infrastructure, and one of the base scenarios or requirements for a hybrid cloud deployment is the synchronization of corporate identities (user accounts) from an on premise Active Directory (AD) environment to Office 365. I've written several articles on this topic, and I often talk about 2 critical steps in the process:

Both operations can be performed manually in your on premise AD administration console, and in the Azure AD administration console in Office 365. However, when you're dealing with a moderate to large number of users, it's often impractical to use the administration console GUIs for either step.

Activating Office 365 Users Through PowerShell

In this post I'll talk about how you can use PowerShell to activate Office 365 users once they're synchronized to Azure AD.

When synchronizing users with Azure ADConnect, the server hosting ADConnect will automatically have Windows Azure Active Directory Module for Windows PowerShell installed as part of that deployment, which is the PowerShell module you'll be using. You can run the following PowerShell commands on that server. Alternatively you can download and install the following 2 components:

Connecting to Office 365

Launch Windows Azure Active Directory Module for Windows PowerShell. Ensure you launch it as an Administrator.

Connect to your Office 365 tenant by using Connect-MsolService. This command does not take any parameters.

A dialog will popup asking you for your service administrator username and password. Enter them and click OK. Once successfully connected, your PowerShell window will look like the following:

To view the list of PowerShell commands available in this module, type Get-Command -Module MSOnline.

Get a List of Office 365 Users

To retrieve a list of Office 365 users you can use the command Get-MsolUser. This will display a list of all users in your Office 365 tenant, including their User Principal Name, Display Name and whether or not they have a license. Notice how both licensed and unlicensed users are shown in the following list:

If you only wish to see a list of unlicensed users then you can call the same command with a parameter for unlicensed users only: Get-MsolUser -UnlicensedUsersOnly.

If you are working with a large number of users, consider using the -MaxResults parameter along with the -UnlicensedUsersOnly parameter. For example, you can call: Get-MsolUser -UnlicensedUsersOnly -MaxResults 1000. If -MaxResults is not specified, a default value of 500 is used.

Activating Office 365 Users

Before you can activate Office 365 users, you must first set the location of each user. Microsoft requires this because the services it can offer to users are based on their location.

The 2 character country code is used to set a location for each user. So for Canada you use "CA" and for the United States you use "US". Other applicable country codes can be found here: two letter ISO code list. You can set the location for an Office 365 user by calling: Set-MsolUser -UserPrincipalName "<user's upn>" -UsageLocation "US".

Here we identify the user by their UPN, using the -UserPrincipalName parameter.

Once you have set a location for each user, you'll now require the name of your license SKU. You can find this information by calling Get-MsolAccountSku. This will return a string that's typically named <domain name>:ENTERPRISEPACK as in the following example:

Notice, the number of active units (available licenses), warning units and consumed units (assigned licenses) are displayed. The number of licenses available to you will be Active - Warning - Consumed. So in my case I have 19 licenses available that I can assign.

To assign a license to a specific user, use the following PowerShell command: Set-MsolUserLicense -UserPrincipalName "<user's upn>" -AddLicenses "<your license SKU>". After running this command and then running Get-MsolUser again, we can see that our user Nori.Dwarf@maiolabs.com now has a license, as in the following example:

Combine PowerShell Commands to Activate Users in Bulk

We can combine the PowerShell commands shown in order to assign a location and license to users in bulk, as in the following examples:
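One way to combine the commands above into a guarded bulk run, as an added example that is not the author's original script. It assumes Connect-MsolService has already been run; the variable names ($SkuId, $Location, $DryRun) are hypothetical, and the SKU value is a placeholder to be replaced with the string returned by Get-MsolAccountSku.

```powershell
# Added example, not the author's script. Run after Connect-MsolService.
$SkuId    = '<your license SKU>'   # placeholder: the <domain name>:ENTERPRISEPACK value
$Location = 'US'                   # two-letter country code
$DryRun   = $true                  # hypothetical switch: set to $false to apply changes

# Confirm the SKU exists and work out how many licenses are free,
# using the Active - Warning - Consumed calculation described above.
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $SkuId }
if (-not $sku) { throw "License SKU '$SkuId' was not found in this tenant." }
$available = $sku.ActiveUnits - $sku.WarningUnits - $sku.ConsumedUnits

# Collect the unlicensed users (-MaxResults raises the default limit of 500).
$users = @(Get-MsolUser -UnlicensedUsersOnly -MaxResults 1000)
if ($users.Count -gt $available) {
    throw "Need $($users.Count) licenses but only $available are available."
}

foreach ($user in $users) {
    $upn = $user.UserPrincipalName
    if ($DryRun) {
        # Report only, so the list can be reviewed before anything changes.
        Write-Output "Would license $upn with '$SkuId'"
        continue
    }
    try {
        # A usage location must be set before a license can be assigned.
        if (-not $user.UsageLocation) {
            Set-MsolUser -UserPrincipalName $upn -UsageLocation $Location -ErrorAction Stop
        }
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $SkuId -ErrorAction Stop
        Write-Output "Licensed $upn"
    }
    catch {
        # Keep going so one failed account does not stop the whole batch.
        Write-Warning "Failed for ${upn}: $($_.Exception.Message)"
    }
}
```

Review the dry-run output before setting $DryRun to $false, so that synchronized accounts that should not receive Office 365 services are not licensed along with everyone else.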

Azure ADConnect provides a fantastic tool for synchronizing users from on premise Active Directory to Office 365 and keeping them synchronized. However, activating users is still a critical step in enabling users to access Office 365 services, and when activating users in bulk, using PowerShell will save considerable time over using the administration console GUI.


About Me

Antonio Maio is an information security architect with over 25 years of experience in cyber security practices and systems, product management, software development and leadership. Antonio is currently a Senior Manager and Senior SharePoint Architect with Protiviti. He has been awarded a Microsoft Most Valuable Professional award for 5 consecutive years, from 2012 to 2016, specializing in Microsoft SharePoint Server, Office 365 and Office Services. His background includes implementing cryptography and PKI systems, information security technologies, and both information governance and cybersecurity best practices. His experience with Microsoft SharePoint and Office 365 extends over the last 10 years. When he’s not helping enterprise, military or government organizations solve security challenges, you can catch him speaking at conferences or contributing to the community through this blog. In his spare time, Antonio likes to oil paint, run, make wine, read and spend time with his family.